  1. #1 truekush (Corporal)

    create account form

    I found this form in a non-working state and edited it to make all the errors go away; I also updated it so it would work for WotLK.
    This form is better than Respora for people who create their own sites, because it is easier to integrate into the site.
    Code:
    <?php

    $realmd = array(
        'db_host'     => 'localhost', // ip of db realm
        'db_username' => 'user',      // realm user
        'db_password' => '',          // realm password
        'db_name'     => 'realmd',    // realm db name
    );

    function check_for_symbols($string){
        $len = strlen($string);
        $alowed_chars = "abcdefghijklmnopqrstuvwxyzæøåABCDEFGHIJKLMNOPQRSTUVWXYZÆØÅ";
        for ($i = 0; $i < $len; $i++) if (!strstr($alowed_chars, $string[$i])) return TRUE;
        return FALSE;
    }

    function sha_password($user, $pass){
        $user = strtoupper($user);
        $pass = strtoupper($pass);

        return SHA1($user.':'.$pass);
    }

    if (isset($_POST['registration'])){

        $realmd_bc_new_connect = mysql_connect($realmd['db_host'], $realmd['db_username'], $realmd['db_password']);
        $selectdb = mysql_select_db($realmd['db_name'], $realmd_bc_new_connect);
        if (!$realmd_bc_new_connect || !$selectdb){
            echo "Could NOT connect to db, please check the config part of the file!";
            die;
        }

        $username = $_POST['username'];
        $password = sha_password($username, $_POST['password']);

        $qry_check_username = mysql_query("SELECT username FROM `account` WHERE username='$username'");

        if (check_for_symbols($_POST['password']) == TRUE || check_for_symbols($username) == TRUE || mysql_num_rows($qry_check_username) != 0){
            echo "Error with creating account, might already be in use or your username / password has invalid symbols in it.";
        }else{
            mysql_query("INSERT INTO account (username,sha_pass_hash,expansion) VALUES
                ('$username','$password','2')"); // Insert into database.
            echo "Account created.";
        }

    }else{

    ?>

    <form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
    Username <input type="text" name="username">

    Password <input type="password" name="password">

    <input type="submit" name="registration">
    </form>

    <?php
    // Do not remove this;)
    }
    ?>
    To use it, just edit
    'db_host'=> 'localhost', //ip of db realm
    'db_username' => 'user',//realm user
    'db_password' => '',//realm password
    'db_name'=> 'realmd',//realm db name
    and insert it into your website.

  2. #2 Xees (Contributor)
    There is a lot of this out there, but people could use a bit more. +Rep

  3. #3 chocochaos (Member)
    I'd recommend everyone not to use this script; it's a huge security issue for your database.

    Take a look at those two lines:
    Code:
    $username = $_POST['username'];
    
    $qry_check_username = mysql_query("SELECT username FROM `account` WHERE username='$username'");
    The username is put into the MySQL query without any additional checks or escaping. Any characters can be put in it, and thus the actual query could be modified. For example, if I were to enter the following as the username:
    Code:
    ' OR username != '
    I would still be able to register duplicates. This is just an innocent example. A security hole like this could potentially be used to read other people's account data or even wipe your whole account table.

    More information:
    - SQL injection - Wikipedia, the free encyclopedia

  4. #4 Xees (Contributor)
    I don't have much expertise in PHP, XD. Thanks for pointing that out.

  5. #5 Xees (Contributor)
    Forgot +Rep for you for the info.

  6. #6 truekush (Corporal)
    Originally Posted by chocochaos
    I'd recommend everyone not to use this script; it's a huge security issue for your database.

    Take a look at those two lines:
    Code:
    $username = $_POST['username'];

    $qry_check_username = mysql_query("SELECT username FROM `account` WHERE username='$username'");
    The username is put into the MySQL query without any additional checks or escaping. Any characters can be put in it, and thus the actual query could be modified. For example, if I were to enter the following as the username:
    Code:
    ' OR username != '
    I would still be able to register duplicates. This is just an innocent example. A security hole like this could potentially be used to read other people's account data or even wipe your whole account table.

    More information:
    - SQL injection - Wikipedia, the free encyclopedia
    Not true
    Code:
    check_for_symbols($username) == TRUE || mysql_num_rows($qry_check_username) != 0)
    Even check my site WindFury WoW: I have this create account page on there. Try making a "truekush" account, I guarantee you can't; also there is a check so you can only use letters.

    Please, before you try to put down any of my other posts, check your facts first, because it obviously shows that you can't add a username with spaces and ! or even =. I checked this script before I posted it, so test it before you put it down.
    Last edited by truekush; 01-23-2010 at 01:09 AM.

  7. #7 andross_01 (Member)
    When I submit the query it tries to take me to "my domain .com /%3C?php echo $_SERVER['PHP_SELF'] ?>"

    I don't know anything about PHP... how would I fix this?

  8. #8 Wethers (Member)
    Thanks, may come in handy.

  9. #9 chocochaos (Member)
    Originally Posted by truekush
    Not true
    Code:
    check_for_symbols($username) == TRUE || mysql_num_rows($qry_check_username) != 0)
    Even check my site WindFury WoW: I have this create account page on there. Try making a "truekush" account, I guarantee you can't; also there is a check so you can only use letters.

    Please, before you try to put down any of my other posts, check your facts first, because it obviously shows that you can't add a username with spaces and ! or even =. I checked this script before I posted it, so test it before you put it down.
    That check is done after the first query. In
    Code:
    $qry_check_username = mysql_query("SELECT username FROM `account` WHERE username='$username'");
    that check has not yet been done. Thus that query is potentially unsafe. Before you tell others they are wrong, you might want to learn what SQL injection actually is and how to prevent it. Once again, check SQL injection - Wikipedia, the free encyclopedia for more info.

    On a side note, your server's website doesn't seem to load for me.
    Last edited by chocochaos; 02-08-2010 at 02:09 AM.

  10. #10 truekush (Corporal)
    Originally Posted by chocochaos
    That check is done after the first query. In
    Code:
    $qry_check_username = mysql_query("SELECT username FROM `account` WHERE username='$username'");
    that check has not yet been done. Thus that query is potentially unsafe. Before you tell others they are wrong, you might want to learn what SQL injection actually is and how to prevent it. Once again, check SQL injection - Wikipedia, the free encyclopedia for more info.

    On a side note, your server's website doesn't seem to load for me.
    Actually, I thought the same might be true when looking at it, but then I looked again and even tried injecting it myself on my own site. After it didn't work I released it, and it's even a sticky on the main mangos site now. If there was a fault in this, more than one person would be talking, and believe me, I always test my work when I release something. If you feel it is wrong then go ahead and find somewhere to test it out, but the server I posted before is gone now.

    If you still think I'm wrong then go ahead and test it on my own server:
    http://bloodmist.uk.to/registration.php Hell, I'll even make it easier on you: the accounts start at id 1 and end at 18. Go ahead, do your worst!
    Last edited by truekush; 02-08-2010 at 02:45 AM.

  11. #11 chocochaos (Member)
    I'm not a hacker, and I can't abuse this bug to do more than trigger an SQL error on servers without magic_quotes_gpc enabled. Leaving this open remains a potential risk though, and I'm sure an experienced hacker wouldn't have much trouble finding a way to abuse it in a worse way.
    Instead of saying it's no problem, why not just fix it? Especially when the fix is so simple.
    Code:
    function escape_unsafe_string($unescaped) {
        if (get_magic_quotes_gpc())
            return $unescaped;
        else
            return addslashes($unescaped);
    }

    $qry_check_username = mysql_query("SELECT username FROM `account` WHERE username='". escape_unsafe_string($username) ."'");
    There, done. No one will be able to do anything unwanted with that.
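    The ordering problem chocochaos points out in #3 and #9 (the username reaches the SELECT before check_for_symbols runs) and the fix proposed in #11, shown as one added example that is not code from any post in this thread: the same registration flow with validation done before any query and the username bound as a PDO parameter, since the mysql_* functions and magic_quotes no longer exist in current PHP. The DSN, credentials and account table columns are assumptions taken from the original config.

```php
<?php
// Added example, not the code from the original post: the same registration
// flow rewritten so the username is validated before any query runs and is
// bound as a parameter with PDO, so it can never alter the SQL text.
// DSN, credentials and table layout are assumptions matching the post's config.
declare(strict_types=1);

function has_disallowed_chars(string $s): bool
{
    // Same letter-only alphabet as the original check_for_symbols(); the /u
    // flag makes æøå match as whole characters rather than single bytes.
    return preg_match('/\A[A-Za-zæøåÆØÅ]+\z/u', $s) !== 1;
}

function sha_password(string $user, string $pass): string
{
    // Hash format the realmd account table expects: SHA1(UPPER(user):UPPER(pass)).
    return sha1(strtoupper($user) . ':' . strtoupper($pass));
}

function register(PDO $db, string $username, string $password): string
{
    // Validate first: an input like  ' OR username != '  is rejected here
    // and never reaches the database in any form.
    if (has_disallowed_chars($username) || has_disallowed_chars($password)) {
        return 'Username and password may only contain letters.';
    }
    // Bound parameter: the value travels separately from the SQL text, so
    // quotes inside it cannot close the string or change the WHERE clause.
    $check = $db->prepare('SELECT 1 FROM `account` WHERE username = :u');
    $check->execute([':u' => $username]);
    if ($check->fetchColumn() !== false) {
        return 'Username already in use.';
    }
    $insert = $db->prepare(
        'INSERT INTO `account` (username, sha_pass_hash, expansion) VALUES (:u, :h, 2)'
    );
    $insert->execute([':u' => $username, ':h' => sha_password($username, $password)]);
    return 'Account created.';
}

if (isset($_POST['registration'])) {
    $db = new PDO('mysql:host=localhost;dbname=realmd;charset=utf8mb4', 'user', '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    $message = register($db, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); // escape output for the page
}
```

    With the parameter bound, the duplicate-registration input from #3 is rejected by the validator, and even if validation were removed it would be compared as a literal username rather than parsed as SQL.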

  12. #12 truekush (Corporal)
    Originally Posted by chocochaos
    I'm not a hacker, and I can't abuse this bug to do more than trigger an SQL error on servers without magic_quotes_gpc enabled. Leaving this open remains a potential risk though, and I'm sure an experienced hacker wouldn't have much trouble finding a way to abuse it in a worse way.
    Instead of saying it's no problem, why not just fix it? Especially when the fix is so simple.
    Code:
    function escape_unsafe_string($unescaped) {
        if (get_magic_quotes_gpc())
            return $unescaped;
        else
            return addslashes($unescaped);
    }

    $qry_check_username = mysql_query("SELECT username FROM `account` WHERE username='". escape_unsafe_string($username) ."'");
    There, done. No one will be able to do anything unwanted with that.
    Well, thank you for doing something about it; your work is much appreciated!
    +Rep
